Added new permission to set password.

Norman Jäckel 2019-01-19 09:52:13 +01:00
parent 1cdeb3bcb8
commit 4da87d520d
5 changed files with 37 additions and 1 deletions


@ -38,6 +38,7 @@ Motions:
User:
- Added new admin group which grants all permissions. Users of existing group
'Admin' or 'Staff' are move to the new group during migration [#3859].
- Added new permission to set its own password [#4131].
- Added gender field [#4124].


@ -0,0 +1,23 @@
# Generated by Django 2.1.5 on 2019-01-19 08:41
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('users', '0008_user_gender'),
]
operations = [
migrations.AlterModelOptions(
name='user',
options={
'default_permissions': (), 'ordering': ('last_name', 'first_name', 'username'),
'permissions': (
('can_see_name', 'Can see names of users'),
('can_see_extra_data', 'Can see extra data of users (e.g. present and comment)'),
('can_change_password', 'Can change its own password'),
('can_manage', 'Can manage users'))},
),
]


@ -170,6 +170,7 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
"can_see_extra_data",
"Can see extra data of users (e.g. present and comment)",
),
("can_change_password", "Can change its own password"),
("can_manage", "Can manage users"),
)
ordering = ("last_name", "first_name", "username")


@ -59,6 +59,7 @@ def create_builtin_groups_and_admin(**kwargs):
"motions.can_manage_metadata",
"motions.can_see",
"motions.can_support",
"users.can_change_password",
"users.can_manage",
"users.can_see_extra_data",
"users.can_see_name",
@ -89,6 +90,7 @@ def create_builtin_groups_and_admin(**kwargs):
permission_dict["mediafiles.can_see"],
permission_dict["motions.can_see"],
permission_dict["users.can_see_name"],
permission_dict["users.can_change_password"],
)
group_default = Group(pk=GROUP_DEFAULT_PK, name="Default")
group_default.save(skip_autoupdate=True)
@ -114,6 +116,7 @@ def create_builtin_groups_and_admin(**kwargs):
permission_dict["motions.can_create_amendments"],
permission_dict["motions.can_support"],
permission_dict["users.can_see_name"],
permission_dict["users.can_change_password"],
)
group_delegates = Group(pk=3, name="Delegates")
group_delegates.save(skip_autoupdate=True)
@ -138,6 +141,7 @@ def create_builtin_groups_and_admin(**kwargs):
permission_dict["mediafiles.can_see"],
permission_dict["mediafiles.can_manage"],
permission_dict["mediafiles.can_upload"],
permission_dict["mediafiles.can_see_hidden"],
permission_dict["motions.can_see"],
permission_dict["motions.can_create"],
permission_dict["motions.can_create_amendments"],
@ -146,7 +150,7 @@ def create_builtin_groups_and_admin(**kwargs):
permission_dict["users.can_see_name"],
permission_dict["users.can_manage"],
permission_dict["users.can_see_extra_data"],
permission_dict["mediafiles.can_see_hidden"],
permission_dict["users.can_change_password"],
)
group_staff = Group(pk=4, name="Staff")
group_staff.save(skip_autoupdate=True)
@ -165,6 +169,7 @@ def create_builtin_groups_and_admin(**kwargs):
permission_dict["motions.can_create_amendments"],
permission_dict["motions.can_support"],
permission_dict["users.can_see_name"],
permission_dict["users.can_change_password"],
)
group_committee = Group(pk=5, name="Committees")
group_committee.save(skip_autoupdate=True)
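Review bot: Existing installations do not appear to receive `users.can_change_password`. The entries added here sit in create_builtin_groups_and_admin, which looks like it only seeds the built-in groups on a fresh database, and the migration in this commit is only an `AlterModelOptions`. Since SetPasswordView now denies anyone without this permission or `users.can_manage`, members of already existing Default, Delegates, Staff and Committees groups would lose the ability to change their own password after upgrading. Consider a data migration (a `migrations.RunPython` step) that adds the new permission to the groups that already exist, and note the behaviour change for administrators. The function body starts and ends outside these hunks, so this is inferred from the visible lines only.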


@ -571,6 +571,8 @@ class SetPasswordView(APIView):
def post(self, request, *args, **kwargs):
user = request.user
if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")):
self.permission_denied(request)
if user.check_password(request.data["old_password"]):
try:
validate_password(request.data.get("new_password"), user=user)
@ -600,6 +602,8 @@ class PasswordResetView(APIView):
"""
Loop over all users and send emails.
"""
if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
self.permission_denied(request)
to_email = request.data.get("email")
for user in self.get_users(to_email):
current_site = get_current_site(request)
@ -667,6 +671,8 @@ class PasswordResetConfirmView(APIView):
http_method_names = ["post"]
def post(self, request, *args, **kwargs):
if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
self.permission_denied(request)
uidb64 = request.data.get("user_id")
token = request.data.get("token")
password = request.data.get("password")
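Review bot: The checks added to PasswordResetView and PasswordResetConfirmView test `request.user`, but a forgotten-password request normally comes from someone who is not logged in. The decision then rests on whatever the anonymous/Default group is granted, not on the account whose password is being reset. An account that was deliberately denied `users.can_change_password` can therefore still get a new password through the reset flow, while disabling anonymous access would block reset for everyone. In PasswordResetView the check belongs inside the loop on the target, e.g. `if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")): continue`, and in PasswordResetConfirmView on the user resolved from `uidb64`, which happens outside this hunk. The same two-permission expression now appears three times; a small helper such as `can_change_own_password(user)` would keep the views consistent.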